Business Continuity and Disaster Recovery Planning for IT Professionals.
Title:
Business Continuity and Disaster Recovery Planning for IT Professionals.
Author:
Snedaker, Susan.
ISBN:
9780124114517
Edition:
2nd ed.
Physical Description:
1 online resource (602 pages)
Contents:
Front Cover -- Business Continuity and Disaster Recovery Planning for IT Professionals -- Copyright -- Contents -- Acknowledgments -- About the Authors -- Introduction -- Chapter 1: Business Continuity and Disaster Recovery Overview -- Introduction -- Business continuity and disaster recovery defined -- Components of business -- People in BC/DR planning -- Process in BC/DR planning -- Technology in BC/DR planning -- The cost of planning versus the cost of failure -- People -- Process -- Technology -- Types of disasters to consider -- Business continuity and disaster recovery planning basics -- Project initiation -- Risk assessment -- Business impact analysis -- Mitigation strategy development -- Plan development -- Training, testing, and auditing -- Plan maintenance -- Summary -- Key concepts -- BC/DR defined -- Components of business -- The cost of planning versus the cost of failure -- Types of disasters to consider -- BC/DR planning basics -- References -- Chapter 2: Legal and Regulatory Obligations Regarding Data and Information Security -- Introduction -- Impact of recent history -- Current regulatory environment -- Source of legal obligations -- Scope of legal obligations -- Provide "reasonable security" -- Provide security breach notification -- Information security management -- Responsibility lies at the top -- Written Information Security Program (WISP) -- Categories that must be addressed -- Third-party service provider arrangements -- Education -- Did you know? -- Summary -- Key concepts -- Impact of recent history -- Current regulatory environment -- Information security management -- References -- Case Study: Legal Obligations Regarding Data Security -- Contributor profile -- Deanna Conn, Partner, Quarles & Brady, LLP -- Background -- The Sony PlayStation incident -- State laws regarding data security.

Notice of security breach laws -- Definition of personal information -- Notification procedure -- Penalties -- Safeguarding personal data state laws -- Federal laws regarding data security -- U.S. House of representatives proposed bill -- U.S. Senate response -- Executive order-improving critical infrastructure cyber security -- Conclusion -- References -- Chapter 3: Project Initiation -- Introduction -- Elements of project success -- Executive support -- User involvement -- Experienced project manager -- Clearly defined project objectives -- Clearly defined project requirements -- Clearly defined scope -- Shorter schedule, multiple milestones -- Clearly defined project management process -- Project plan components -- Project initiation or project definition -- Problem and mission statement -- Potential solutions -- Requirements and constraints -- Success criteria -- Project proposal -- Estimates -- Project sponsor -- Forming the project team -- Organizational -- Technical -- Logistical -- Political -- Project organization -- Project objectives -- Business continuity plan -- Continuity of operations plan -- Disaster recovery plan -- Crisis communication plan -- Cyber incident response plan -- Occupant emergency plan -- Project stakeholders -- Project requirements -- Project parameters -- Project infrastructure -- Project processes -- Team meetings -- Reporting -- Escalation -- Project progress -- Change control -- Quality control -- Project communication plan -- Project planning -- Work breakdown structure -- Critical path -- Project implementation -- Managing progress -- Managing change -- Project tracking -- Project close out -- Key contributors and responsibilities -- Information technology -- Experience working on a cross-departmental team -- Ability to communicate effectively -- Ability to work well with a wide variety of people.

Experience with critical business and technology systems -- IT project management leadership -- Human resources -- Facilities/security -- Finance/legal -- Warehouse/inventory/manufacturing/research -- Purchasing/logistics -- Marketing and sales -- Public relations -- Operations -- Project definition -- Business requirements -- Functional requirements -- Technical requirements -- Business continuity and disaster recovery project plan -- Project definition, risk assessment -- Business impact analysis -- Risk mitigation strategies -- Plan development -- Emergency preparation -- Training, testing, auditing -- Plan maintenance -- Summary -- Key concepts -- Elements of project success -- Project plan components -- Key contributors and responsibilities -- Project definition -- Business continuity and disaster recovery plan -- References -- Business Continuity and Disaster Recovery in Energy/Utilities -- Introduction -- Integrating BC/DR requirements into IT governance -- BC/DR requirements definition -- IT service level definition -- Application recovery procedures -- Summary of integrating BC/DR requirements into IT governance -- Improving BC/DR recovery and risk mitigation strategies -- Ensuring access to BC/DR documentation in a disaster -- Change approval board and technical change review committees -- Security control testing -- Separation of duties -- Centralized security vulnerability assessment -- IT network vulnerability assessment -- Security control baselines and change detection -- Data center and network -- Compute and data -- Self-service application failover and failback -- Industrial control systems -- Summary of improving BC/DR recovery and risk mitigation strategies -- Improving BC/DR testing -- Recovery from actual incidents: Postmortems and documenting lessons learned -- Scheduled BC/DR tests -- Corporate data center redundancy testing.

EMS SCADA EOC testing -- SOx 404 application recovery testing -- NERC CIP-009 recovery testing -- Enterprise business continuity testing -- Summary of scheduled BC/DR testing -- Summary of best practices and key concepts -- References -- Chapter 4: Risk Assessment -- Introduction -- Risk management basics -- Risk management process -- Threat assessment -- Vulnerability assessment -- Impact assessment -- Risk mitigation strategy development -- People, process, technology, and infrastructure in risk management -- People -- Process -- Technology -- Infrastructure -- IT-Specific risk management -- IT Risk management objectives -- The system development lifecycle model -- Risk assessment components -- Information gathering methods -- Natural and environmental threats -- Fire -- Floods -- Severe winter storms -- Electrical storms -- Drought -- Earthquake -- Tornados -- Hurricanes/typhoons/cyclones -- Tsunamis -- Volcanoes -- Avian Flu/pandemics -- Human threats -- Fire -- Theft, sabotage, and vandalism -- Labor disputes -- Workplace violence -- Terrorism -- Chemical or biological hazards -- War -- Cyber threats -- Cyber crime -- Loss of records or data-theft, sabotage, vandalism -- IT system failure-theft, sabotage, vandalism -- Infrastructure threats -- Building-specific failures -- Public transportation disruption -- Loss of utilities -- Disruption to oil or petroleum supplies -- Food or water contamination -- Regulatory or legal changes -- Threat checklist -- Threat assessment methodology -- Quantitative threat assessment -- Qualitative threat assessment -- Vulnerability assessment -- People, process, technology, and infrastructure -- People -- Process -- Technology -- Infrastructure -- Vulnerability assessment -- Summary -- Key concepts -- Risk management basics -- Risk assessment components -- Threat assessment methodology -- Vulnerability assessment.

References -- Business Continuity and Disaster Recovery in Healthcare -- Introduction to healthcare IT -- Types of healthcare organizations -- Hospitals -- Skilled nursing facility -- Physician offices -- Ambulatory clinics -- Pharmacies -- Other types of organizations -- Summary of healthcare organizations -- The rising cost of healthcare -- Governmental incentives and penalties -- HIEs and Accountable Care Organizations -- Health information exchanges -- Accountable Care Organizations -- Integration of healthcare IT and medical equipment -- Consumer-driven healthcare -- Real-time data -- Summary -- Regulatory environment -- Centers for Medicare and Medicaid Services/Joint Commission on Accreditation of Healthcare Organizations -- U.S. Food and Drug Administration -- Health Insurance Portability and Accountability Act -- Health Information Technology for Economic and Clinical Health -- Payment Card Industry -- State and local requirements -- Healthcare IT risk management -- Patient safety -- Patient care -- Organizational solvency -- Facility management -- Technical needs-Healthcare IT architecture -- Clinical systems -- Business systems -- Types of data -- Structured -- Unstructured -- Semi-structured -- Types of systems and storage -- Network core, medical network, and guest network -- Wireless/RFID -- Security infrastructure -- End user devices -- Healthcare operational needs -- Admitting -- Insurance verification and billing services -- Clinical care -- Physician -- Nursing -- Support services -- Interoperability among disparate systems -- Electronic medical record -- Diagnostic imaging -- Medical equipment -- Food services -- Environmental services -- Billing and payment systems -- Payroll -- Human resources -- Current environment and new technology -- Advances in data storage and replication -- Mobile devices.

Virtualization and cloud computing.
Abstract:
Powerful Earthquake Triggers Tsunami in Pacific. Hurricane Isaac Makes Landfall in the Gulf Coast. Wildfires Burn Hundreds of Houses and Businesses in Colorado. Tornado Touches Down in Missouri. These headlines not only have caught the attention of people around the world, they have had a significant effect on IT professionals as well. The new 2nd Edition of Business Continuity and Disaster Recovery for IT Professionals gives you the most up-to-date planning and risk management techniques for business continuity and disaster recovery (BCDR). With distributed networks, increasing demands for confidentiality, integrity and availability of data, and the widespread risks to the security of personal, confidential and sensitive data, no organization can afford to ignore the need for disaster planning. Author Susan Snedaker shares her expertise with you, including the most current options for disaster recovery and communication, BCDR for mobile devices, and the latest infrastructure considerations including cloud, virtualization, clustering, and more. Snedaker also provides you with new case studies in several business areas, along with a review of high availability and information security in healthcare IT. Don't be caught off guard: Business Continuity and Disaster Recovery for IT Professionals, 2nd Edition, is required reading for anyone in the IT field charged with keeping information secure and systems up and running.
Complete coverage of the 3 categories of disaster: natural hazards, human-caused hazards, and accidental / technical hazards.
Extensive disaster planning and readiness checklists for IT infrastructure, enterprise applications, servers and desktops.
Clear guidance on developing alternate work and computing sites and emergency facilities.
Actionable advice on emergency readiness and response.
Up-to-date information on the legal implications of data loss following a security breach or disaster.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.